Malicious APK File Impersonates Word Application

An independent security firm has discovered at least several hundred new infections of Android devices in the wild. The infections stem from malware that pretends to be a Word document.

Researchers at Zscaler, a security firm, have uncovered a new malware strain that takes a simple approach to tricking users into installing it: impersonating a popular application. The malware pretends to be a Word application, complete with the ‘W’ logo.

After a successful exploit of an infected device, the malware, now with elevated privileges, steals crucial device information such as IMEI and SIM card details, along with the device ID. Furthermore, the phonebook complete with

  • personal information of the owner
  • SMS messages on the phone
  • Contacts’ information

All of the above data is compromised: the malware collects the information and then emails it to the attackers, who operate remotely, reports Zscaler.

The technique used to infect a victim’s device is one that attackers used years ago to exploit early Windows devices. Popular names and catchy titles were routinely paired with matching icons to get victims to open the file and trigger the payload. This malware preys on its victims in a similar manner.

Infostealer APK

The researchers have aptly named the malware ‘Infostealer’ for the way it pulls off a complete compromise of phone and contact details.

The application even displays a fake error message while the victim is under the impression that he or she is installing Microsoft’s Word app.

The error, shown for a few moments, reads: “Installation errors, this software is not compatible with the phone”.

While this occurs, the fake Word app is executing a few intrusive commands in the background.

  • SMS messages from the phone are sent to the malware developer’s number.
  • An Android service called MyService is triggered.
  • An asynchronous thread named SmsTask also starts running in the background.
  • Another thread called MailTalk starts to run, also in the background.
  • The application also calls phone numbers specified by the malware developer.
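
The behaviours listed above correspond to Android permissions that a document editor has little reason to request. The following Python triage check is an added example, not code from the Zscaler report: it flags a decoded AndroidManifest.xml whose label uses a known brand under a different package name while requesting such permissions. The sample manifest, the package `com.example.fakeword`, the permission mapping and the two-permission threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the behaviours described above (SMS theft, calls,
# phonebook and IMEI/SIM collection). The mapping is this example's assumption.
RISKY = {
    "android.permission.READ_SMS": "reads SMS messages",
    "android.permission.SEND_SMS": "sends SMS messages",
    "android.permission.CALL_PHONE": "places calls without user action",
    "android.permission.READ_CONTACTS": "reads the phonebook",
    "android.permission.READ_PHONE_STATE": "reads IMEI / SIM details",
}

# Brand label -> genuine package name (analyst-maintained allowlist).
KNOWN_BRANDS = {"word": "com.microsoft.office.word"}

# Constructed sample: a manifest already decoded to text XML, with the label
# resolved to a literal string (real manifests often use @string references).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeword">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Word">
    <service android:name=".MyService"/>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Return a verdict dict for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    risky = sorted(requested & set(RISKY))
    genuine = KNOWN_BRANDS.get(label.strip().lower())
    # Brand name on the label, but not the brand's own package.
    impersonates = genuine is not None and package != genuine
    return {"package": package, "label": label,
            "impersonates_brand": impersonates,
            "risky_permissions": risky,
            "suspicious": impersonates and len(risky) >= 2}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```
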

According to the authors of the report, the compromise of information on the phone could lead to a disastrous outcome. Banking details and other critical information can be stored in an SMS message which is relayed to the attacker, leading to the possibility of financial and identity theft.

Zscaler already indicates that as many as 300 victims have fallen for the fake Word application in under a month of it being out in the wild.